How the CrowdStrike outage made IT supply chains the new big issue in tech

The CrowdStrike outage – which caused massive disruption in the NHS, transport, banking and wider infrastructure – means the state of global IT supply chains became one of the big tech talking points of 2024.

The unlikely talking point came to the public’s attention in July, when a far-reaching global IT outage saw transport links shut down, parts of the NHS revert to pen and paper, and even TV broadcasters unable to get on the air.

It soon emerged the issue was a defect in a software update for Microsoft Windows users from cybersecurity firm CrowdStrike, with the flaw knocking systems offline.

The widespread nature of the issue was astonishing – transport hubs around the world went offline, as did systems linked to online banking, healthcare and media organisations.

Once it was established that the incident was not security-related or a cyber attack, attention quickly turned to just how vulnerable global IT systems were to widespread problems such as this, with many experts warning that one of the root causes was an over-reliance on small numbers of firms for IT systems.

They argued that this meant that a single issue with one provider, in this case CrowdStrike, meant millions of computers around the world could be knocked offline.

At the time of the outage, experts suggested there was an element of businesses sticking with what they know in using operating systems such as Microsoft’s Windows, and also concerns about the cost of training staff to use a new and different system could be part of the issue.

Industry expert Dafydd Vaughan, chief technology officer at consultancy Public Digital, said the Government needed to do more to boost competition within supply chains.

Taking the example of the NHS, which was badly impacted by the CrowdStrike outage, he said: “EMIS – a major provider of services to GP surgeries, handling health records, appointment bookings and more – is used in more than 60% of GP surgeries in England and Wales.

“The Government needs to consider the risk that comes with so few companies controlling so much of our essential infrastructure.

“In all industries, Government should see the value of more competition in their supply chains, and work to increase the number of companies that provide these essential services and avoid monopolies controlling our national infrastructure.”

That specific issue could be something raised in 2025, but in the meantime, the Government has already taken steps to boost the protection around IT infrastructure by announcing the designation of data centres as critical national infrastructure (CNI).

This means data centres are now on the same footing as vital utilities such as energy and water, and therefore receive additional support should a major incident affecting them occur.

This decision comes in a year where another wave of notable outages – beyond just CrowdStrike occurred – including a number of repeated issues and outages linked with banking apps in the UK, other Microsoft server issues, social media platform glitches and others.

The threat of cyber-attack also remains high, with industry and security experts warning that bad actors are increasingly looking at ways to disrupt infrastructure through cyber-attacks as a way of waging modern warfare.

After coming to power in July, the Labour Government said it would introduce the Cyber Security and Resilience Bill, which would give greater power to regulators to push more firms to implement better cybersecurity defences by expanding the remit of existing regulation and put regulators on a stronger footing, as well as increasing the reporting requirements placed on businesses to help build a better picture of cyber threats to the UK.

That Bill is set to be introduced to Parliament in 2025.